1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
|
#!/usr/bin/env python
#
# Copyright (C) 2017 FreeIPA Contributors see COPYING for license
#
"""In-tree development server
The dev server requires a Kerberos TGT and a file based credential cache:
$ mkdir -p ~/.ipa
$ export KRB5CCNAME=~/.ipa/ccache
$ kinit admin
$ make lite-server
Optionally you can set KRB5_CONFIG to use a custom Kerberos configuration
instead of /etc/krb5.conf.
To run the lite-server with another Python interpreter:
$ make lite-server PYTHON=/path/to/bin/python
To enable profiling:
$ make lite-server LITESERVER_ARGS='--enable-profiler=-'
By default the dev server supports HTTP only. To switch to HTTPS, you can put
a PEM file at ~/.ipa/lite.pem. The PEM file must contain a server certificate,
its unencrypted private key and intermediate chain certs (if applicable).
Prerequisite
------------
Additionally to build and runtime requirements of FreeIPA, the dev server
depends on the werkzeug framework and optionally watchdog for auto-reloading.
You may also have to enable a development COPR.
$ sudo dnf install -y dnf-plugins-core
$ sudo dnf builddep --spec freeipa.spec.in
$ sudo dnf install -y python-werkzeug python2-watchdog \
python3-werkzeug python3-watchdog
$ ./autogen.sh
For more information see
* http://www.freeipa.org/page/Build
* http://www.freeipa.org/page/Testing
"""
from __future__ import print_function
import os
import optparse # pylint: disable=deprecated-module
import ssl
import sys
import time
import warnings
import ipalib
from ipalib import api
from ipalib.errors import NetworkError
from ipalib.krb_utils import krb5_parse_ccache
from ipalib.krb_utils import krb5_unparse_ccache
# pylint: disable=import-error
from werkzeug.contrib.profiler import ProfilerMiddleware
from werkzeug.exceptions import NotFound
from werkzeug.serving import run_simple
from werkzeug.utils import redirect, append_slash_redirect
from werkzeug.wsgi import DispatcherMiddleware, SharedDataMiddleware
# pylint: enable=import-error
BASEDIR = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))
IMPORTDIR = os.path.dirname(os.path.dirname(os.path.abspath(ipalib.__file__)))
if BASEDIR != IMPORTDIR:
warnings.warn(
"ipalib was imported from '{}' instead of '{}'!".format(
IMPORTDIR, BASEDIR),
RuntimeWarning
)
STATIC_FILES = {
'/ipa/ui': os.path.join(BASEDIR, 'install/ui'),
'/ipa/ui/js': os.path.join(BASEDIR, 'install/ui/src'),
'/ipa/ui/js/dojo': os.path.join(BASEDIR, 'install/ui/build/dojo'),
'/ipa/ui/fonts': '/usr/share/fonts',
}
def get_ccname():
"""Retrieve and validate Kerberos credential cache
Only FILE schema is supported.
"""
ccname = os.environ.get('KRB5CCNAME')
if ccname is None:
raise ValueError("KRB5CCNAME env var is not set.")
scheme, location = krb5_parse_ccache(ccname)
if scheme != 'FILE': # MEMORY makes no sense
raise ValueError("Unsupported KRB5CCNAME scheme {}".format(scheme))
if not os.path.isfile(location):
raise ValueError("KRB5CCNAME file '{}' does not exit".format(location))
return krb5_unparse_ccache(scheme, location)
class KRBCheater(object):
"""Add KRB5CCNAME to WSGI environ
"""
def __init__(self, app, ccname):
self.app = app
self.ccname = ccname
def __call__(self, environ, start_response):
environ['KRB5CCNAME'] = self.ccname
return self.app(environ, start_response)
class StaticFilesMiddleware(SharedDataMiddleware):
def get_directory_loader(self, directory):
# override directory loader to support index.html
def loader(path):
if path is not None:
path = os.path.join(directory, path)
else:
path = directory
# use index.html for directory views
if os.path.isdir(path):
path = os.path.join(path, 'index.html')
if os.path.isfile(path):
return os.path.basename(path), self._opener(path)
return None, None
return loader
def init_api(ccname):
"""Initialize FreeIPA API from command line
"""
parser = optparse.OptionParser()
parser.add_option(
'--dev',
help='Run WebUI in development mode',
default=True,
action='store_false',
dest='prod',
)
parser.add_option(
'--host',
help='Listen on address HOST (default 127.0.0.1)',
default='127.0.0.1',
)
parser.add_option(
'--port',
help='Listen on PORT (default 8888)',
default=8888,
type='int',
)
parser.add_option(
'--enable-profiler',
help="Path to WSGI profiler directory or '-' for stderr",
default=None,
type='str',
)
api.env.in_server = True
api.env.startup_traceback = True
# workaround for RefererError in rpcserver
api.env.in_tree = True
# workaround: AttributeError: locked: cannot set ldap2.time_limit to None
api.env.mode = 'production'
start_time = time.time()
# pylint: disable=unused-variable
options, args = api.bootstrap_with_global_options(parser, context='lite')
api.env._merge(
lite_port=options.port,
lite_host=options.host,
webui_prod=options.prod,
lite_profiler=options.enable_profiler,
lite_pem=api.env._join('dot_ipa', 'lite.pem'),
)
api.finalize()
api_time = time.time()
api.log.info("API initialized in {:03f} sec".format(api_time - start_time))
# Validate LDAP connection and pre-fetch schema
# Pre-fetching makes the lite-server behave similar to mod_wsgi. werkzeug's
# multi-process WSGI server forks a new process for each request while
# mod_wsgi handles multiple request in a daemon process. Without schema
# cache, every lite server request would download the LDAP schema and
# distort performance profiles.
ldap2 = api.Backend.ldap2
try:
if not ldap2.isconnected():
ldap2.connect(ccache=ccname)
except NetworkError as e:
api.log.error("Unable to connect to LDAP: %s", e)
api.log.error("lite-server needs a working LDAP connect. Did you "
"configure ldap_uri in '%s'?", api.env.conf_default)
sys.exit(2)
else:
# prefetch schema
assert ldap2.schema
# Disconnect main process, each WSGI request handler subprocess will
# must have its own connection.
ldap2.disconnect()
ldap_time = time.time()
api.log.info("LDAP schema retrieved {:03f} sec".format(
ldap_time - api_time))
def redirect_ui(app):
"""Redirects for UI
"""
def wsgi(environ, start_response):
path_info = environ['PATH_INFO']
if path_info in {'/', '/ipa', '/ipa/'}:
response = redirect('/ipa/ui/')
return response(environ, start_response)
# Redirect to append slash to some routes
if path_info in {'/ipa/ui', '/ipa/ui/test'}:
response = append_slash_redirect(environ)
return response(environ, start_response)
if path_info == '/favicon.ico':
response = redirect('/ipa/ui/favicon.ico')
return response(environ, start_response)
return app(environ, start_response)
return wsgi
def main():
try:
ccname = get_ccname()
except ValueError as e:
print("ERROR:", e, file=sys.stderr)
print("\nliteserver requires a KRB5CCNAME env var and "
"a valid Kerberos TGT:\n", file=sys.stderr)
print(" export KRB5CCNAME=~/.ipa/ccache", file=sys.stderr)
print(" kinit\n", file=sys.stderr)
sys.exit(1)
init_api(ccname)
if os.path.isfile(api.env.lite_pem):
ctx = ssl.create_default_context(purpose=ssl.Purpose.CLIENT_AUTH)
ctx.load_cert_chain(api.env.lite_pem)
else:
ctx = None
app = NotFound()
app = DispatcherMiddleware(app, {
'/ipa': KRBCheater(api.Backend.wsgi_dispatch, ccname),
})
# only profile api calls
if api.env.lite_profiler == '-':
print('Profiler enable, stats are written to stderr.')
app = ProfilerMiddleware(app, stream=sys.stderr, restrictions=(30,))
elif api.env.lite_profiler:
profile_dir = os.path.abspath(api.env.lite_profiler)
print("Profiler enable, profiles are stored in '{}'.".format(
profile_dir
))
app = ProfilerMiddleware(app, profile_dir=profile_dir)
app = StaticFilesMiddleware(app, STATIC_FILES)
app = redirect_ui(app)
run_simple(
hostname=api.env.lite_host,
port=api.env.lite_port,
application=app,
processes=5,
ssl_context=ctx,
use_reloader=True,
# debugger doesn't work because framework catches all exceptions
# use_debugger=not api.env.webui_prod,
# use_evalex=not api.env.webui_prod,
)
if __name__ == '__main__':
main()
|
